Win2k runaway stealth process

boa

Senior member
Jul 12, 2001
212
0
0
I built this computer for a friend:
Asus a7v333, 256MB, athlon 1800+, geforce2 gts-v, maxtor 80gb, zoom pci 56k modem, and Win2k.

The problem is that the system now has a runaway process, Winkgw.exe. The process is consuming at least 1/3 of the CPU. I cannot identify where/what it is. When I search the disk for Winkgw.exe, it cannot be found. I can start->run Winkgw.exe and it runs!!! I searched for Winkgw.exe, Wink*, Wink*.* and Winkgw*.*

Any idea on how I can find this file?

I had a POS Gateway usb keyboard connected to the computer. It was running the Netropa keyboard software and generating constant osd.exe errors.
I am afraid Winkgw is Win(dows)k(eyboard)g(ate)w(ay).

 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
I'm pretty sure that's not Klez or EKlern (the damage-dealing virus Klez drops).

I would recommend looking into regedit, and the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Look and see if your trouble service is listed there. If it is, remove it. It's not an essential service, that's for sure.

EDIT:

I should add that since you can run the exe for the service from the run line, it must be in a folder defined in the PATH. Likely winnt or winnt\system32, but who knows. You can check to make sure no crazy entry was added to your PATH variable in the Environment Variables of System Properties.

Also, if you find reference to the service in your registry under the key above, it will contain the entire path to the exe.

Remove the exe and remove the reg key, it shouldn't bother you anymore.

 

SoulAssassin

Diamond Member
Feb 1, 2001
6,135
2
0
Originally posted by: Saltin
I'm pretty sure that's not Klez or EKlern (the damage-dealing virus Klez drops).

I would recommend looking into regedit, and the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Look and see if your trouble service is listed there. If it is, remove it. It's not an essential service, that's for sure.

EDIT:

I should add that since you can run the exe for the service from the run line, it must be in a folder defined in the PATH. Likely winnt or winnt\system32, but who knows. You can check to make sure no crazy entry was added to your PATH variable in the Environment Variables of System Properties.

Also, if you find reference to the service in your registry under the key above, it will contain the entire path to the exe.

Remove the exe and remove the reg key, it shouldn't bother you anymore.

Agreed, might also want to verify that when you're searching that you're including hidden files. If it is in fact a GW keyboard utility I wouldn't imagine that it would be hidden, but hey, I've seen stranger.

 

boa

Senior member
Jul 12, 2001
212
0
0
I checked the PATH. It was:
PATH = C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem

I then checked those directories and could not find the Winkgw file.

How would I search for a file that was hidden?

Also, it starts at bootup. Any idea on how to track it?

I'll check the registry tomorrow.

Thank You SO MUCH for the help.
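
The checks discussed above (autostart registry values, the PATH lookup, hidden files), as an added example that is not part of the original thread. It assumes a current Windows system with PowerShell 3 or later (Windows 2000 predates PowerShell; there, regedit and `dir /a` cover the same ground); the RunOnce, per-user and App Paths keys and the process query go beyond the single key named in the thread.

```powershell
# Added example. $name is the process reported in the thread.
$name = 'Winkgw.exe'
$base = [IO.Path]::GetFileNameWithoutExtension($name)

# 1. Ask the running process where its image lives (use an elevated prompt
#    to see processes owned by other accounts).
Get-CimInstance Win32_Process -Filter "Name = '$name'" |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine

# 2. Autostart values: the Run key named in the thread plus RunOnce and the
#    per-user copies of both.
$runKeys = 'Run', 'RunOnce' | ForEach-Object {
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\$_"
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\$_"
}
$autostarts = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        [pscustomobject]@{
            Key     = $key
            Name    = $valueName
            Command = [string]$item.GetValue($valueName)
        }
    }
}
$autostarts |
    Where-Object { $_.Command -like "*$base*" -or $_.Name -like "*$base*" } |
    Format-List

# 3. Walk every PATH directory. -Force includes hidden and system files,
#    which the default Explorer search and a plain "dir" leave out.
$hits = foreach ($dir in ($env:PATH -split ';' | Where-Object { $_ })) {
    Get-ChildItem -LiteralPath $dir -Filter $name -File -Force `
        -ErrorAction SilentlyContinue
}
$hits | Select-Object FullName, Attributes, Length, LastWriteTime

# 4. Start > Run also resolves names through the App Paths key, so an
#    executable can launch from there without being in any PATH directory.
$appPath = "HKLM:\Software\Microsoft\Windows\CurrentVersion\App Paths\$name"
if (Test-Path $appPath) {
    "App Paths maps $name to: " + (Get-Item $appPath).GetValue('')
}
```

If step 1 returns an `ExecutablePath`, that is the file to inspect and submit to an anti-virus scanner before deleting anything.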
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
Most apps that start up automatically need to make an entry in that registry key, so it's definitely worth a look.
80% of the common viruses do too.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
The only reason I thought it might be Klez was because I did a Google search and the only things that came up were in another language. I saw Klez mentioned, but I couldn't read it.

Make sure to get an anti-virus program and keep it up to date, no matter what it is.
 

boa

Senior member
Jul 12, 2001
212
0
0
Will do!

Thank You SO MUCH for the help!!!

Actually, thinking back, the virus idea is a very good match. His home computer was infected last week! Seems like a little more than just a coincidence.
 